Send CORS headers for all requests #39

Closed
strk opened this issue Aug 7, 2012 · 5 comments
Comments

@strk
Contributor

strk commented Aug 7, 2012

I found out that CORS headers are only sent in response to tile requests, not to style settings or metadata etc.

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

@ghost ghost assigned strk Aug 7, 2012
@strk strk closed this as completed in b1e5acc Aug 13, 2012
strk pushed a commit that referenced this issue Aug 13, 2012
@javisantana
Contributor

Why enable CORS in those endpoints?

We are using CORS for images in order to be able to read pixel image data; I don't know if it makes sense to use it for other styles/metadata.

@strk
Contributor Author

strk commented Aug 13, 2012

On Mon, Aug 13, 2012 at 10:03:19AM -0700, javi santana wrote:

Why enable CORS in those endpoints?

We are using CORS for images in order to be able to read pixel image data; I don't know if it makes sense to use it for other styles/metadata.

With no CORS I don't get error messages when sending bogus styles when
the tiler runs on port 8080 and main app on port 3000.

Not an issue if you hide port numbers behind a dispatcher.

Do you see drawbacks to enable CORS ?

--strk;

@javisantana
Contributor

My main concern is security here, because you can run cross-origin GET/POST.

But don't worry too much about it; we only need to take care of it.

@strk
Contributor Author

strk commented Aug 13, 2012

On Mon, Aug 13, 2012 at 10:13:39AM -0700, javi santana wrote:

My main concern is security here, because you can run cross-origin GET/POST.

But don't worry too much about it; we only need to take care of it.

Yeah, we're indeed weak there.
More automated testcases for failing requests should be added.

I suspect not all requests go through the authentication phase.
But we're mostly talking about Windshaft-cartodb here, being the
only one knowing anything about authentication.

See CartoDB/Windshaft-cartodb#42

--strk;

http://www.cartodb.com - Map, analyze and build applications with your data

                                   ~~ http://strk.keybit.net

@strk
Contributor Author

strk commented Aug 13, 2012

a quick review reveals that we're indeed not checking any authorization for changing styles...
I thought we had a test for this ?

Besides, if the problem exists, it is not really something you can stop by disabling CORS.
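The point made in the last two comments (javisantana's worry about cross-origin GET/POST, and strk's reply that disabling CORS would not stop an unauthorized style change) is easy to demonstrate offline. The following is an added example, not Windshaft's or Windshaft-cartodb's code: it models a hypothetical "set style for a table" endpoint, classifies a request the way a browser does when deciding whether to send a CORS preflight, and runs a constructed cross-origin form POST against the handler with CORS disabled and with and without an API-key check. The endpoint shape, the `api_key` query parameter and the per-table key store are assumptions for illustration.

```javascript
// Added example (not Windshaft's code). Models a tiler's style-setting
// endpoint to show that CORS governs what a cross-origin page may READ, not
// what the server will DO: a cross-origin form POST is delivered to the
// handler with or without Access-Control-Allow-Origin, so only an
// authorization check can stop an unauthorized style change.
// Endpoint shape, query parameter name and key store are hypothetical.

// CORS response headers for a given Origin under a hypothetical allow-list.
function corsHeaders(requestOrigin, allowedOrigins) {
  if (!requestOrigin) return {};                        // no Origin: nothing to say
  if (allowedOrigins === '*') return { 'Access-Control-Allow-Origin': '*' };
  if (allowedOrigins.includes(requestOrigin)) {
    return { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' };
  }
  return {};                                            // not allowed: header omitted
}

// Headers a page script may set without forcing a preflight (Fetch standard
// "CORS-safelisted request-header"), and the content types allowed on them.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// True when a browser sends an OPTIONS preflight first. When this is false
// the request goes straight to the server; the CORS headers on the reply
// only decide whether the calling page gets to see the response.
function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (lname === 'origin') continue;                   // set by the browser, not the page
    if (!SAFELISTED_HEADERS.has(lname)) return true;
    if (lname === 'content-type' &&
        !SIMPLE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase())) {
      return true;
    }
  }
  return false;
}

// Hypothetical "set style for a table" handler.
// req: { method, table, headers, query, body }; store: table -> style;
// apiKeys: table -> key that must accompany a write (assumed scheme).
function handleSetStyle(req, store, apiKeys, opts) {
  const res = { status: 200, headers: corsHeaders(req.headers.origin, opts.allowedOrigins), body: 'ok' };
  if (req.method.toUpperCase() !== 'POST') { res.status = 405; res.body = 'method not allowed'; return res; }
  if (opts.requireAuth) {
    const key = req.query && req.query.api_key;
    if (!key || key !== apiKeys[req.table]) { res.status = 403; res.body = 'forbidden'; return res; }
  }
  const style = req.body && req.body.style;
  if (typeof style !== 'string' || style.length === 0) { res.status = 400; res.body = 'bad style'; return res; }
  store[req.table] = style;
  return res;
}

// Constructed cross-origin request: a page on https://evil.example submits a
// form POST to the tiler. Browsers send this without any preflight.
const CROSS_SITE_POST = {
  method: 'POST',
  table: 'mytable',
  headers: { origin: 'https://evil.example', 'content-type': 'application/x-www-form-urlencoded' },
  query: {},
  body: { style: '#mytable { polygon-fill: red; }' },
};

// Run the same request against an unauthenticated handler (CORS off) and an
// authenticated one; returns what each did to the style store.
function compare() {
  const apiKeys = { mytable: 'secret-key' };
  const noAuthStore = { mytable: 'original' };
  const authStore = { mytable: 'original' };
  const r1 = handleSetStyle(CROSS_SITE_POST, noAuthStore, apiKeys, { allowedOrigins: [], requireAuth: false });
  const r2 = handleSetStyle(CROSS_SITE_POST, authStore, apiKeys, { allowedOrigins: [], requireAuth: true });
  return {
    preflighted: needsPreflight(CROSS_SITE_POST.method, CROSS_SITE_POST.headers),
    corsHeaderSent: 'Access-Control-Allow-Origin' in r1.headers,
    withoutAuth: { status: r1.status, style: noAuthStore.mytable },
    withAuth: { status: r2.status, style: authStore.mytable },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

With CORS off (empty allow-list) and no key check, the constructed form POST still overwrites the style: no `Access-Control-Allow-Origin` is sent, the attacker's page cannot read the reply, but the write has already happened. Only the key check turns the same request into a 403 and leaves the store untouched. This is also why strk saw no error messages without CORS when the tiler and the main app ran on different ports: the request reached the tiler, but the browser withheld the response from the page.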
